Does a company have adequate insurance for cyber incidents?

Author: Millard, Mark

Cyber incidents in which computer systems have been breached have become commonplace in the news, with large and small companies alike being affected. These incidents are prompting boards to question whether they have adequate protection against potential cyber-attacks on their own companies. Exposure to cyber loss arises from numerous sources, including employees, vendors, clients, governments and criminal elements. Impacts include first-party loss (e.g., damage to systems, data loss) and third-party liability (e.g., liability for loss of personal information, fines and penalties, credit monitoring).

Short of turning off all your computers and using the postal service as your sole method of communication, no level of security protection is guaranteed to completely mitigate exposure to cyber damage and liability. It is critical that companies evaluate their frequency and severity exposure to cyber claims and understand how to mitigate that exposure through insurance and contractual risk transfer.

Cyber modeling, benchmarking, and limit selection

Cyber modeling and benchmarking are tools that help companies determine how much insurance to purchase and how much risk to retain. The current state of cyber modeling uses past cyber-attack event data to predict which future cyber-attacks will occur and to what extent. This information helps insureds understand their first- and third-party cyber exposure and tailor their insurance programs to fit their needs. Once a company understands what exposures it faces and which aspects are insurable and uninsurable, the appropriate limits of insurance and retention can be calculated.

One of the main weaknesses of cyber modeling is the limited cost data available for cyber-attack and breach experience. For cyber modeling to be sufficiently accurate, cost data must be widely available. Some companies are unwilling to publicize their exact loss counts because doing so can pose a reputational risk to the business. Another major issue with cyber modeling is that loss from human error can be mixed in with the cyber breach data, improperly skewing the data and results.

While cyber modeling continues to make great strides, it has not yet advanced to predict future trends with a high degree of precision. Cyber modeling must be capable of understanding the cyber exposure, and its frequency and severity, which will allow companies to further understand the insurable and uninsurable aspects of...
